Cloudflare Sandbox

Cloudflare Sandbox is a software package designed for developers and system administrators to easily apply Linux seccomp system call filtering to applications. It simplifies the process of enhancing security by restricting the system calls a process can make, without needing to write any custom code.

Core Components & Usage

The package offers two main components for different types of executables:

• libsandbox.so: A dynamically linked library for use with dynamically linked executables. It is injected using the LD_PRELOAD dynamic linker option. This method allows for tighter filtering as it is executed after runtime framework initialization is complete.
• sandboxify: A command-line utility designed for statically linked executables. It launches the target application and applies the seccomp filter using ptrace.

Security Policy Configuration

Security policies are defined through simple environment variables:

• SECCOMP_SYSCALL_ALLOW: A whitelist of allowed system calls. Any unlisted system call will terminate the process.
• SECCOMP_SYSCALL_DENY: A blacklist of forbidden system calls. Attempting a blacklisted call will terminate the process.

Key Features

• Codeless Configuration: Define security rules using simple, colon-separated lists in environment variables.
• Permissive Log Mode: Instead of terminating a process for a policy violation, the sandbox can be configured to log the attempt, which is useful for developing and debugging security policies.
• Targeted Filtering: Provides different tools for dynamically and statically linked binaries to achieve optimal security.